Eric Rescorla
Wed, 27 Aug 2008 15:45:41 -0700
At Wed, 27 Aug 2008 16:10:51 -0400 (EDT), Jonathan Katz wrote:
>
> On Wed, 27 Aug 2008, Eric Rescorla wrote:
>
> > > At Wed, 27 Aug 2008 17:05:44 +0200,
> > There are a set of techniques that allow you to encrypt elements of
> > arbitrary sets back onto that set.
> >
> > The original paper on this is:
> > John Black and Phillip Rogaway. Ciphers with arbitrary finite domains. In
> > CT-RSA, pages 114-130, 2002.
>
> But he probably wants an encryption scheme, not a cipher.

Hmm... I'm not sure I recognize the difference between encryption scheme and cipher. Can you elaborate?

> Also, correct me if I am wrong, but Black and Rogaway's approach is not
> efficient for large domains. But if you use their approach for small
> domains then you open yourself up to dictionary attacks.

I suppose it depends what you mean by "small" and "large". A lot of the relevant values are things like SSNs, CCNs, etc. which fall in the 10-20 digit category, where the Luby-Rackoff approach is efficient. As I understand the situation, the cycle following approach is efficient as long as the set is reasonably close to the L-R block size.

As far as dictionary attacks go, for any small domain permutation you have to worry about table construction attacks. The only defense I know of is randomized encryption which defeats the non-expansion requirement.

WRT to the security of the L-R construction, Spies claims that I believe that Patarin's 2004 result [0] is relevant here, but I'm not qualified to evaluate it. Anyway, the reference I provided earlier [1] provides a summary of the claimed security properties of L-R + Cycle Following.

-Ekr

[0] Jacques Patarin. Security of random feistel schemes with 5 or more rounds. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 106-122. Springer, 2004.

[1] http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ffsem/ffsem-spec.pdf

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
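As an added illustration of the Luby-Rackoff plus cycle-following construction the thread is about (example code written here, not from the FFSEM spec or either cited paper): a balanced Feistel network is used as the block permutation, and cycle walking carries values of a small decimal domain such as {0, ..., 999} back onto that same domain, with an exhaustive check that the result really is a permutation. The HMAC-SHA256 round function, the demo key and the round count (five, the figure in Patarin's title) are assumptions of the example.

```python
import hmac
import hashlib

def round_function(key: bytes, rnd: int, half: int, half_bits: int) -> int:
    # Feistel round function: HMAC-SHA256 of (round index, one half), truncated to half_bits
    digest = hmac.new(key, bytes([rnd]) + half.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") & ((1 << half_bits) - 1)

def feistel(key: bytes, x: int, half_bits: int, rounds: int, decrypt: bool = False) -> int:
    # Balanced Luby-Rackoff Feistel permutation on 2*half_bits-bit integers; rounds run in
    # reverse order with the halves swapped to invert it
    mask = (1 << half_bits) - 1
    left, right = x >> half_bits, x & mask
    if decrypt:
        for rnd in reversed(range(rounds)):
            left, right = right ^ round_function(key, rnd, left, half_bits), left
    else:
        for rnd in range(rounds):
            left, right = right, left ^ round_function(key, rnd, right, half_bits)
    return (left << half_bits) | right

def cycle_walk(key: bytes, x: int, domain: int, rounds: int = 5, decrypt: bool = False) -> tuple:
    # Cycle walking: re-apply the block permutation (or its inverse) until the output lands
    # back in [0, domain). The walk stays inside one cycle of the permutation, so the
    # result is itself a permutation of the domain and the same walk on the inverse undoes it.
    half_bits = max(1, ((domain - 1).bit_length() + 1) // 2)  # smallest block >= domain
    y, steps = x, 0
    while True:
        y, steps = feistel(key, y, half_bits, rounds, decrypt), steps + 1
        if y < domain:
            return y, steps

def check_bijection(key: bytes, domain: int) -> tuple:
    # Exhaustive check that the walk is a permutation of [0, domain) and that the inverse
    # walk undoes it; also reports the longest walk (the extra cipher calls cycle walking cost)
    outputs, max_steps = set(), 0
    for x in range(domain):
        y, steps = cycle_walk(key, x, domain)
        max_steps = max(max_steps, steps)
        if cycle_walk(key, y, domain, decrypt=True)[0] != x:
            return False, max_steps
        outputs.add(y)
    return len(outputs) == domain, max_steps

DEMO_KEY = b"constructed demo key, not for real use"  # constructed sample key
```

For domain 1000 the block is 10 bits (1024 values), so a walk only takes an extra step when it lands on one of the 24 out-of-domain values, which is why the construction is cheap when the domain is close to the block size. The same exhaustive loop also shows the table-construction concern from the thread: with a fixed key, 1000 encryption queries reproduce the entire mapping.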